Mostafa Al-A’sar got a LinkedIn DM from ‘Haifa Kareem’ promising a gig. That was January 2024. By day’s end, he’d nearly handed his Google account to hackers on a platter.
That’s the Bitter hack-for-hire campaign in action—slick, persistent, and aimed square at MENA journalists who dare criticize governments. Access Now, Lookout, and SMEX blew the lid off this mess, revealing attacks from 2023 through 2025 that zeroed in on Egyptian critics and a Lebanese reporter. No joke: one victim’s Apple account got fully pwned, with attackers slapping on a virtual device for endless data slurps.
Phishing That Feels Too Real
Short version? Bad actors posed as Apple Support via iMessage and WhatsApp. Click the link—boom, fake login page steals credentials and 2FA codes. Domains like signin-apple.com-en-uk[.]co or telegram.com-en[.]io? They’re not subtle, but they worked.
“The phishing campaign included persistent attacks via iMessage/Apple Messenger and WhatsApp app, […] impersonating Apple Support,” SMEX reported.
And get this—the Google hit on Al-A’sar? Pure OAuth wizardry. No fake domains needed. Just a Rebrandly-shortened Zoom link that funneled him to a malicious app begging for ‘permissions.’ Google’s own sign-in flow, twisted against you. If you’re logged in? It just asks nicely for access. Brilliant. Terrifying.
Al-A’sar and Ahmed Eltantawy—both Egyptian firebrands with prison stints—fought it off. The Lebanese journo? Not so lucky on round one.
Look, we’ve seen nation-state phishing before. Remember Pegasus? NSO Group’s spyware darling, hawked to the highest bidder. But Bitter? Lookout pins this crew to Indian interests, grinding away since 2022. Hack-for-hire, sure—but with that government whiff, it’s straight-up digital repression outsourcing.
My hot take: this isn’t random. It’s a page from India’s Quietkill playbook—remember those 2023 Microsoft warnings about Indian hackers scraping Outlook data from journalists worldwide? Same vibe. MENA’s a hotspot now because Egypt’s clampdown on critics needs eyes everywhere, and Lebanon’s chaos is low-hanging fruit. Prediction? Expect Telegram and Signal fakes to spike as targets wise up to Apple bait.
Why Target Journalists Now?
Governments hate loose lips. Al-A’sar and Eltantawy? They’ve roasted Egypt’s regime from exile. The anonymous Lebanese? Dodging the same surveillance net that’s snared activists region-wide.
But here’s the kicker—those com-ae[.]net domains? They overlap with ESET’s ProSpy Android spyware drops in the UAE. Signal ‘encryption plugins’ that actually phone home with your SMS, contacts, files. No coincidence. This hack-for-hire shop’s building a regional dragnet, one phish at a time.
Persistent doesn’t cover it. Waves of messages. Sockpuppet LinkedIn pros. Zoom invites from nowhere. Attackers don’t quit; they adapt. Apple to Google. iMessage to WhatsApp. Even Signal got name-checked.
And the infrastructure? Rebrandly for stealth, legitimate OAuth flows for trust. It’s hack-for-hire evolution—cheaper than zero-days, deadlier than bulk sprays.
Is Bitter India’s Dirty Secret?
Lookout says yes: ties to Indian intel ops. No smoking gun, but patterns scream state-backed. Bitter’s been at it since ’22, hoovering comms for the homeland.
Skeptical? Fair. But when domains echo UAE spyware and targets are all regime-bashers, Occam’s razor points to geopolitics. India cozying up to Gulf states? MENA surveillance fits the alliance. Egypt’s Sisi owes favors; Lebanon’s a proxy playground.
Corporate spin? None here—these are NGOs calling it out. No vendor fluff. Just cold facts: accounts breached, data at risk, broader spyware links.
Journalists aren’t safe. Period.
Neither are you, if you’re vocal.
How Do These Attacks Actually Work?
Step one: Recon. LinkedIn sockpuppets fish for emails, numbers.
Step two: Delivery. iMessage pops: ‘Verify your Apple ID now!’ Link leads to credential harvester.
OAuth twist—victim consents to ‘app access.’ Attacker reads mail, calendars, Drive. All legit, no alerts tripped.
Compromise confirmed? Virtual device joins the party. Persistent spying, zero clicks needed.
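To make the OAuth step concrete, here is an added example (not code from the reports, the researchers or the attackers) that triages an authorization link before anyone clicks ‘Allow’. It parses the query string of a Google-style authorization URL, lists the scopes the app asks for, and flags the ones that hand over mail, calendars or Drive. Both links in it are constructed, with placeholder client IDs and redirect hosts; only the scope identifiers are Google’s real ones.

```python
"""Triage an OAuth 2.0 authorization link before anyone clicks 'Allow'.

Added example, not code from the reports, the researchers or the attackers.
Both links below are constructed (placeholder client_id and redirect hosts);
the scope identifiers are Google's real ones.
"""
from urllib.parse import parse_qs, urlsplit

# Real Google scope identifiers, with what a consenting user hands over.
SENSITIVE_SCOPES = {
    "https://mail.google.com/": "full Gmail access (read, send, delete)",
    "https://www.googleapis.com/auth/gmail.readonly": "read all mail",
    "https://www.googleapis.com/auth/gmail.modify": "read and modify mail",
    "https://www.googleapis.com/auth/drive": "full Drive access",
    "https://www.googleapis.com/auth/drive.readonly": "read all Drive files",
    "https://www.googleapis.com/auth/calendar": "full Calendar access",
    "https://www.googleapis.com/auth/calendar.readonly": "read all calendars",
    "https://www.googleapis.com/auth/contacts.readonly": "read all contacts",
}

# Identity-only scopes: all an ordinary 'Sign in with Google' button needs.
IDENTITY_SCOPES = {"openid", "email", "profile"}


def triage_oauth_link(url: str) -> dict:
    """Summarise what an authorization link asks for and give a verdict."""
    parts = urlsplit(url)
    params = parse_qs(parts.query)

    def param(name: str) -> str:
        return params.get(name, [""])[0]

    is_google = (parts.hostname == "accounts.google.com"
                 and parts.path.startswith("/o/oauth2/"))
    scopes = param("scope").split()
    sensitive = [s for s in scopes if s in SENSITIVE_SCOPES]
    unknown = [s for s in scopes
               if s not in SENSITIVE_SCOPES and s not in IDENTITY_SCOPES]
    # access_type=offline asks for a refresh token: the grant outlives the session.
    offline = param("access_type") == "offline"
    redirect_host = urlsplit(param("redirect_uri")).hostname or ""

    if sensitive:
        verdict = "block"      # mail/calendar/Drive access for a 'meeting link'
    elif unknown or not is_google:
        verdict = "review"     # unfamiliar scope, or not Google's consent endpoint
    else:
        verdict = "ok"         # identity-only sign-in

    return {
        "is_google_oauth": is_google,
        "client_id": param("client_id"),
        "redirect_host": redirect_host,
        "sensitive": [(s, SENSITIVE_SCOPES[s]) for s in sensitive],
        "unknown": unknown,
        "offline_access": offline,
        "verdict": verdict,
    }


# Constructed: the kind of consent request a shortened 'Zoom invite' can lead to.
CONSTRUCTED_INVITE_LINK = (
    "https://accounts.google.com/o/oauth2/v2/auth"
    "?client_id=EXAMPLE-CLIENT-ID"
    "&redirect_uri=https%3A%2F%2Fzoom-invite.example%2Fcallback"
    "&response_type=code"
    "&access_type=offline"
    "&scope=openid%20email%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fgmail.readonly"
    "%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdrive.readonly"
    "%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcalendar.readonly"
)

# Constructed: an ordinary sign-in button, for comparison.
CONSTRUCTED_SIGNIN_LINK = (
    "https://accounts.google.com/o/oauth2/v2/auth"
    "?client_id=EXAMPLE-CLIENT-ID"
    "&redirect_uri=https%3A%2F%2Fnews-site.example%2Fauth"
    "&response_type=code&scope=openid%20email%20profile"
)

if __name__ == "__main__":
    for link in (CONSTRUCTED_INVITE_LINK, CONSTRUCTED_SIGNIN_LINK):
        result = triage_oauth_link(link)
        print(result["verdict"], result["redirect_host"], result["sensitive"])
```

A meeting invite never needs more than openid, email and profile. Anything asking for Gmail, Drive or Calendar scopes, especially together with access_type=offline, is the consent pattern described above, and the first move is to expand the shortened link before opening it so the consent URL can be read at all.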
SMEX nailed the Lebanese case: full Apple takeover on May 19, 2025. Second wave flopped—victim got wise.
But why no spyware payload? Access Now speculates: phishing’s the opener. Data harvest first, malware later. Smart. Deniable.
Spot the Scams Before They Spot You
Red flags? Unsolicited ‘support’ alerts. Weird domains (facetime.com-en[.]io? Come on). Zoom from strangers.
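The defanged names the reports list (signin-apple.com-en-uk[.]co, telegram.com-en[.]io, facetime.com-en[.]io, com-ae[.]net) share one trick: a label like com-en-uk sits where the eye expects the end of the name. Below is an added example, not code from the reports or the researchers, that scores a hostname on two heuristics: a brand name appearing outside that brand’s real registrable domain, and a hyphenated label that mimics a top-level domain. The brand-to-domain table and the short multi-part-suffix list are my own partial assumptions, not a public suffix list.

```python
"""Flag lookalike hostnames of the kind used in the Apple/Telegram phishing lures.

Added example, not code from the reports or the researchers. The brand table
and the suffix list below are partial assumptions of mine, not a public suffix
list, so the registrable-domain split is a simplification.
"""
from urllib.parse import urlsplit

# Brand token -> registrable domains the brand really uses (assumed, partial).
BRAND_DOMAINS = {
    "apple": {"apple.com", "icloud.com"},
    "icloud": {"apple.com", "icloud.com"},
    "facetime": {"apple.com"},
    "telegram": {"telegram.org"},
    "google": {"google.com"},
    "zoom": {"zoom.us"},
    "signal": {"signal.org"},
    "whatsapp": {"whatsapp.com"},
}
TLD_LIKE = {"com", "net", "org"}  # labels that read like a top-level domain
MULTI_PART_SUFFIXES = {"co.uk", "com.au", "com.eg", "com.lb", "co.jp"}  # partial


def refang(target: str) -> str:
    """Turn a defanged host or URL ('example[.]com') into a bare lowercase hostname."""
    target = target.replace("[.]", ".").replace("(.)", ".").strip()
    if "://" in target:
        target = urlsplit(target).hostname or ""
    return target.lower().strip(".")


def registrable_domain(target: str) -> str:
    """Best-effort eTLD+1: the part of the name the registrant actually controls."""
    labels = refang(target).split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_PART_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def lookalike_findings(target: str) -> list[str]:
    """Return human-readable reasons a hostname looks like a brand impersonation."""
    host = refang(target)
    labels = host.split(".")
    reg = registrable_domain(host)
    findings = []

    # Heuristic 1: a brand name anywhere in the name while the registrable
    # domain is not one the brand owns. Substring match, so 'pineapple' would
    # trip it too; acceptable for a triage aid.
    for brand, legit in BRAND_DOMAINS.items():
        if any(brand in label for label in labels) and reg not in legit:
            findings.append(
                f"brand '{brand}' outside {sorted(legit)}: registrable domain is {reg}")

    # Heuristic 2: a hyphenated label that starts like a TLD ('com-en-uk',
    # 'com-ae'), so a quick glance reads 'apple.com' where it is only a subdomain.
    for label in labels[:-1]:
        if "-" in label and label.split("-")[0] in TLD_LIKE:
            findings.append(f"label '{label}' mimics a top-level domain")
    return findings


def triage_hosts(targets: list[str]) -> dict[str, list[str]]:
    """Run the checks over a batch and keep the reasons per host."""
    return {t: lookalike_findings(t) for t in targets}


# Constructed sample: the four defanged names from the reports plus two
# genuine Apple/Zoom hosts as controls.
SAMPLE_HOSTS = [
    "signin-apple.com-en-uk[.]co",
    "telegram.com-en[.]io",
    "facetime.com-en[.]io",
    "com-ae[.]net",
    "appleid.apple.com",
    "zoom.us",
]

if __name__ == "__main__":
    for host, reasons in triage_hosts(SAMPLE_HOSTS).items():
        print(f"{host}: {'FLAG ' + '; '.join(reasons) if reasons else 'ok'}")
```

The useful habit this encodes is reading a hostname from the right: whatever sits just before the last dot is who really owns the page, and apple.com appearing anywhere to the left of that means nothing.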
Fixes: Hardware keys for 2FA. Passkeys where possible. Check app permissions—revoke the shady ones.
And LinkedIn? Scrub your profile. No numbers for ‘recruiters.’
Governments won’t stop. Neither should you.
This Bitter mess? It’s the new normal for MENA watchdogs. Indian hackers playing middleman for Arab autocrats. Data’s the prize—your words, contacts, secrets.
Wake up.
Frequently Asked Questions
What is the Bitter hack-for-hire group?
Bitter’s a threat cluster linked to Indian government interests, running phishing and espionage ops since 2022. They target high-value folks like journalists for intel grabs.
How can you protect against Bitter phishing attacks?
Ditch SMS 2FA for app authenticators or hardware keys. Scrutinize links—hover first. Use password managers to flag fakes.
Are MENA journalists safe from these hacks?
No. Attacks hit Egypt and Lebanon hard; overlaps with UAE spyware suggest a growing regional threat.